Are You Behind the FedRAMP Curve?

Two and a half years ago, the General Services Administration (GSA) released the Federal Risk and Authorization Management Program (FedRAMP), a set of security standards for uniformly assuring the security of cloud services providers (CSPs) that want to contract with government agencies.

Spurred by the federal government’s renewed push toward adopting cloud services, FedRAMP compliance is once again building momentum. Twenty-seven organizations have officially achieved certification standards, and many others are expected to follow suit now that the GSA has unveiled its new FedRAMP roadmap.

The roadmap, which was released in January, outlines the planned evolution for FedRAMP in the next few years. The GSA has also defined a set of deliverables that are scheduled to be released during a 24-month period. These include a set of baseline standards for non-classified technical systems, automation requirements for both CSPs and government agencies and expanded baseline metrics for compliance.

A draft of the GSA’s expanded requirements is available for public review and comment on the FedRAMP website. Once the review period ends in March, these standards are expected to be finalized within 12 months.

Once the roadmap is confirmed, CSPs — whether currently contracting with a government agency or hoping to do so — will need to understand these standards and what’s involved in implementing them. And, as the FedRAMP initiative continues to evolve, it will be imperative that CSPs keep pace and maintain their status as certified vendors to keep partnerships intact and build new ones.

So, what should CSPs do to prepare? The best course of action is to be proactive and start making a concerted effort to get FedRAMP compliant now. The process is a long and challenging one. However, CSPs don’t have to tackle it alone. A 3PAO-certified organization can help manage the assessment process and report results to the Joint Authorization Board (JAB). A 3PAO can also assist with consultation and training, if needed, and be a guide for the duration of the FedRAMP process.